Stage 2: Access to Personal Demographics Service

Describes the required NHS Digital approval of Usage and Settings that mainly relates to the End User

Summary

Describes how all End User organisations wishing to query a subset of demographic information (via SMSP for PDS) must obtain Usage and Settings approval.

Essential first steps

Before requesting access to PDS via SMSP, End User organisations must have:

Used the latest version of the online Information Governance (IG) Toolkit to assess themselves against Information Governance policies and standards. The IG Toolkit covers information security and IG within the End User organisation. The result must be inserted in the TOM so that it can be reviewed by NHS Digital.

Completed the Information Governance Statement of Compliance (IGSoC); the process by which organisations enter into an agreement with NHS Digital for access to the Health and Social Care Network (HSCN – formerly N3) and resultant services. The process includes elements that set out terms and conditions for use of NHS Digital systems and services, including HSCN, in order to preserve their integrity.

Usage and Settings approval

As described in theNHS Digital compliance process, if an End User organisation will be deploying the Client, Usage and Settings approval must be obtained. This involves NHS Digital assessments of:

Whether the purpose for which the data is required represents a legal basis for sharing that data with the organisation, if the purpose is not direct care (as defined in the Caldicott Review 2013). The PDS Access Request scrutiny process is owned by NHS Digital Information Asset Owner for PDS and described in detail in the PDS Access Request Brief. The PDS Access Request process is concerned with the authority for a non-NHS organisation to access the PDS; it is the organisation that is granted authority at the end of the process. The associated legal agreements are the DSFC and the DSA which are also explained in the briefing document.

The system(s) and setting in which the data will be used to ensure that Information Security and business process requirements are complied with.

The overall Usage and Settings assessment is achieved by completing Phase 1a Usage and Settings sections in the TOM and submitting the information to NHS Digital. These sections of the TOM are normally completed by the End User organisation, overseen and supplemented by the Supplier as appropriate.

On receipt of the TOM, the NHS Digital Demographics Team will scrutinise the details, including:

The organisation type and type of service

The purpose of requesting the data (the ‘use case’ including business flows of data, systems that data will flow through, user base etc.)

Governance and IG arrangements, including Existing Data Sharing contracts with NHS Digital such as Data Sharing Framework Contract (DSFC) and any Data Sharing Agreements (DSAs) between the requesting organisation and NHS Digital. NB each purpose will have a separate DSA.

The outcome of this scrutiny will be approval (or rejection) of the End User (organisation) access request.